Data Security Policy
1. Security Overview
Quibit Suite handles sensitive business data: sales transactions, financial records, employee information, and customer data. We apply enterprise-grade security practices to protect this information at every layer.
This policy describes the technical and operational security controls in place for Quibit Suite.
We designed Quibit Suite with a security-first architecture. Access controls, encryption, and audit logging are built into the core platform, not added as afterthoughts.
2. Encryption
All data in Quibit Suite is protected by industry-standard encryption:
2.1 Data in Transit
All API communication uses TLS 1.3
Mobile app traffic is certificate-pinned against known intermediaries
WebSocket connections (real-time features) use WSS (WebSocket Secure)
CDN delivery of files uses HTTPS with HSTS headers
2.2 Data at Rest
Database contents encrypted with AES-256
File storage (Bunny CDN) uses server-side encryption
Backups are encrypted before transfer to backup storage
Passwords stored using bcrypt with unique per-user salts — never plaintext
Payment gateway tokens stored encrypted — raw card or account numbers are never stored
2.3 Key Management
Encryption keys are managed via a dedicated secret management system
Keys are rotated on a scheduled basis
Access to encryption keys is restricted to platform infrastructure — not individual engineers
3. Access Control
Quibit Suite enforces strict access controls at every layer:
3.1 Authentication
JWT-based authentication with short-lived access tokens (15-minute expiry)
Refresh tokens stored securely with rotation on each use
Optional two-factor authentication (2FA) for business owners
Forced re-authentication for sensitive operations (exporting data, changing billing)
Session invalidation on password change
3.3 Quibit, Inc. Employee Access
No Quibit employee has standing access to business data
Support access requires explicit authorization per ticket
All internal access is logged with reason codes
Access is revoked immediately when the support case closes
4. Audit Logging
Quibit Suite maintains comprehensive audit logs for all sensitive business operations:
4.1 What Is Logged
All POS transactions: sales, voids, refunds — with timestamp, user, and device
Financial record creation, edits, and deletions
Team member invitations, permission changes, and removals
Login events: success, failure, and suspicious attempts
Data exports and report downloads
Settings changes: billing, permissions, public page configuration
File uploads and deletions
4.2 Log Integrity
Audit logs are append-only — no user (including owners) can modify or delete log entries
Logs are replicated to a separate, isolated logging system
Logs are retained for 3 years for business account holders
4.3 Business Owner Access to Logs
Owners and admins can view audit logs from Settings > Audit Log
Logs can be filtered by user, date range, and action type
Logs can be exported as CSV for external compliance review
5. POS Security
Point of Sale transactions require enhanced security controls:
5.1 Transaction Integrity
Each transaction is assigned a unique, non-sequential ID to prevent enumeration attacks
Transaction amounts are validated server-side — client-side manipulation is rejected
Voided transactions remain in the audit trail with void reason and operator
Receipts are generated server-side — they cannot be forged client-side
Daily sales totals are computed from individual transaction records — not from aggregates that could be manipulated
5.2 Payment Security
Payment processing is delegated to certified payment gateways (KBZPay, Wave, AYA Pay, CB Pay)
We receive gateway references, not raw payment credentials
Payment webhook endpoints are authenticated via HMAC signature verification
Refunds require owner/admin authorization — staff cannot initiate refunds independently
6. Infrastructure Security
The Quibit Suite backend infrastructure follows defense-in-depth principles:
6.1 Network Security
API servers sit behind a load balancer with DDoS mitigation
Database servers are not publicly accessible; they are reachable only from the application tier
Network traffic between services uses mutual TLS within our infrastructure
Firewall rules are reviewed quarterly
6.2 Application Security
All API inputs validated using class-validator DTOs (NestJS)
SQL injection prevented by parameterized queries via Mongoose/TypeORM
Rate limiting on all public endpoints (general: 100 req/min; auth: 5 attempts/15 min)
CORS policy restricts cross-origin access to known first-party domains
Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, CSP
6.3 Vulnerability Management
Dependencies audited weekly via automated security scanning
Critical CVEs patched within 48 hours of disclosure
Annual third-party penetration test of the Suite API and mobile apps
Responsible disclosure program — report vulnerabilities to [email protected]
7. File & Storage Security
Files uploaded to Quibit Suite (receipts, invoices, product images, documents) are stored on Bunny CDN:
7.1 File Access Control
Private files (invoices, receipts, business documents) require authenticated access
Public files (product images, business logos) use signed CDN URLs with expiry
File access is scoped to the business that owns the file
No cross-business file access is possible
7.2 Storage Lifecycle
Deleted files move to Trash — accessible for 30 days before permanent deletion
Permanent deletion removes the file from CDN within 24 hours
Storage quotas prevent runaway storage use (Free: 5 GB, Pro: 50 GB, Business: 250 GB)
8. Security Incident Response
In the event of a security incident affecting Quibit Suite:
8.1 Our Response Process
Incident detected via automated monitoring or responsible disclosure
Triage and severity classification within 1 hour
Containment within 4 hours for critical incidents
Affected business owners notified within 72 hours of a confirmed breach
Detailed incident report published within 30 days
Regulatory notifications filed per applicable law (GDPR: 72-hour rule)
8.2 What We Tell You
What data was affected and which businesses are impacted
How the breach occurred (root cause summary)
Steps we have taken to contain and remediate
Recommended actions for affected owners (e.g., reset credentials, notify customers)
Contact point for follow-up questions
9. Recommendations for Business Owners
We encourage business owners to follow these security best practices:
9.1 Account Security
Enable two-factor authentication (2FA) on your owner account
Use a strong, unique password not shared with other services
Review your team's permissions regularly — remove access for staff who leave
Monitor your audit log for unexpected activity
Log out of shared devices after use
9.2 Staff Access Management
Grant minimum necessary permissions — not every staff member needs financial access
Deactivate staff accounts immediately on termination
Never share a single login among multiple staff — each person gets their own account
Review active sessions from Settings > Security
10. Contact Security Team
To report a security vulnerability, suspected breach, or unauthorized access:
For questions about this policy, contact [email protected]
© 2026 Quibit, Inc. · Version 1.0 · Last updated 2026-05-25